Commit Graph

74 Commits

SHA1 Message Date
d31c17ea04 fix 2023-01-07 14:31:14 -05:00
41d116aa2f lintian 2023-01-07 14:30:12 -05:00
8b584c570a lintian 2022-06-29 16:06:22 -04:00
1c51d15649 lintian 2022-06-29 15:23:53 -04:00
6eba53767f lintian 2022-06-29 14:17:52 -04:00
cfae7de6a8 lintian 2022-06-29 09:58:37 -04:00
2d37e3a1af copyright 2022-05-20 14:46:38 -04:00
be8c10496f fix faillock implementation
dovecot / ssh are exempted
2021-09-01 15:55:53 -04:00
582492d6d8 port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
2bf0e7471c port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
2021-08-10 15:11:01 -04:00
2aea74bd71 renamed:    usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info
renamed:    usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x
renamed:    usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc
2021-08-10 15:06:04 -04:00
50bdd097df move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS 2021-08-03 12:56:31 -04:00
8eae635668 update lintian tag name 2021-08-03 11:51:31 -04:00
b3e34f7f43 comment 2021-07-25 11:27:07 -04:00
7e128636b3 improve LKRG VirtualBox host configuration
as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
2021-07-25 11:26:20 -04:00
257cef24ba add LKRG compatibility settings automation for VirtualBox hosts
https://github.com/openwall/lkrg/issues/82
2021-07-24 18:03:40 -04:00
a67007f4b7 copyright 2021-03-17 09:45:21 -04:00
9622f28e25 skip counting failed login attempts from dovecot
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
2021-01-27 05:49:34 -05:00
6757104aa4 use pam_tally2 only for login
to skip counting failed login attempts over ssh and mail login
2021-01-24 05:04:48 -05:00
5c81e1f23f import from anon-gpg-conf 2020-04-06 09:25:45 -04:00
2ceea8d1fe update copyright year 2020-04-01 08:49:59 -04:00
300f010fc2 increase priority of pam-abort-on-locked-password-security-misc
since it has its own user help output

so it shows before pam tally2 info

to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
729fa26eca use pam_access only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
c192644ee3 security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
c7c65fe4e7 higher priority usr/share/pam-configs/tally2-security-misc
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
19cc6d7555 pam description 2019-12-08 02:10:43 -05:00
b871421a54 usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
6479c883bf Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' is restricted from using the console
via ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
aa5451c8cd Lock user accounts after 50 rather than 100 failed login attempts.
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
03e8023847 output 2019-11-22 14:11:30 -05:00
2e73c053b5 fix lintian warning 2019-11-09 12:55:00 +00:00
203d5cfa68 copyright 2019-10-31 11:19:44 -04:00
1e4d0ea1d0 fix lintian warning 2019-10-21 09:55:05 +00:00
0ae5c5ff14 remove umask changes since these are causing issues and are not needed anymore
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
41b2819ec8 PAM: abort on locked password
to avoid needlessly bumping pam_tally2 counter

https://forums.whonix.org/t/restrict-root-access/7658/1
2019-08-17 10:33:47 +00:00
ed90d8b025 change default umask to 027
as per:

https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
ff9bc1d7ea informational output during PAM:
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
454e135822 pam_tally2.so even_deny_root 2019-08-15 07:33:41 +00:00
63b476221c use requisite rather than required to avoid asking for password needlessly
if login will fail anyhow
2019-08-15 07:30:56 +00:00
8fdc77fed5 output to stdout 2019-08-14 10:33:23 +00:00
15094cab4f avoid ' character in usr/share/pam-configs; in description 2019-08-14 09:36:30 +00:00
97d1945e61 no log needed, informative output to stdout instead 2019-08-14 09:32:58 +00:00
a085d46c56 change priorities so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown 2019-08-14 09:31:58 +00:00
ce06fdf911 formatting 2019-08-14 05:15:53 -04:00
21489111d1 run permission lockdown during pam
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
52df8dc014 optional pam_umask.so usergroups umask=006 2019-08-14 07:37:21 +00:00
2f37a66fd0 description 2019-08-11 10:31:29 +00:00
e83ec79a25 enable usr/share/pam-configs/mkhomedir-security-misc by default 2019-08-11 10:30:51 +00:00
1eb806a03e pam_mkhomedir.so umask=006 2019-08-11 10:29:49 +00:00
c50eb3c9b0 add usr/share/pam-configs/mkhomedir-security-misc based on
/usr/share/pam-configs/mkhomedir
2019-08-11 10:28:55 +00:00